Linux/Rakos, the new Linux malware threatening devices and servers

Pierluigi Paganini December 21, 2016

A new Linux malware, dubbed Linux/Rakos, is threatening devices and servers. The malware finds its victims by scanning for SSH services.

A new Linux malware, dubbed Linux/Rakos, is threatening devices and servers. The malicious code is written in the Go language and the binary is usually compressed with the standard UPX tool.

Apparently, frustrated users have recently been complaining more often on various forums that their embedded devices are overloaded with computing and network tasks.

The attack is carried out via brute-force attempts at SSH logins, as with many other Linux malware families, including Linux/Moose. Linux/Rakos is able to compromise both embedded devices and servers that expose an SSH port protected by an easy-to-guess password. Once a device is compromised, the malware recruits it into a botnet that could be abused for several malicious activities. The malware starts scanning the internet from a limited list of IP addresses, then spreads incrementally to more targets.

In some cases, attackers were able to compromise devices that had been protected with a strong password but still had the online service enabled and had been reverted to a default password after a factory reset.

The attack chain starts with the loading of a configuration file in YAML format via standard input (stdin). The file contains information such as the list of C&C servers and the full list of credentials to use in the brute-force attacks against target devices.

An example of Linux/Rakos configuration is available on ESET’s Github: https://github.com/eset/malware-ioc/tree/master/rakos.


As the second step, the malware starts a local HTTP service available at http://127.0.0.1:61314.

“There are two reasons why this is installed: the first is as a cunning method for the future versions of the bot to kill the running instances regardless of their name by requesting http://127.0.0.1:61314/et; second, it tries to parse a URL query for parameters “ip”, “u”, “p” by requesting http://127.0.0.1:61314/ex. The purpose of this /ex HTTP resource is still unclear at the time of writing and it seems not to be referenced elsewhere in the code.” reads the analysis published by ESET.

Experts from ESET also noticed that the malware creates a web server listening on all interfaces.

The bot scans for the SSH service on various IP addresses obtained from the C&C server. Malware researchers also noticed that previous versions of the trojan scanned for the SMTP service as well, a feature that is disabled in current versions.

When the malware is able to access a device with its credentials, it runs two commands (id, uname -m). Then the malicious code checks whether it is possible to upload itself to the new victim and goes on.

The backdoor is able to update the configuration file (from https://{C&C}/upgrade/vars.yaml) and also to upgrade itself.

Linux/Rakos isn’t able to maintain persistence after the system is rebooted. Researchers at ESET provided the following suggestions to clean up infected devices:

  • connect to your device using SSH/Telnet,
  • look for a process named .javaxxx,
  • run commands like netstat or lsof with the -n switch to confirm that it is responsible for the unwanted connections,
  • (optionally) collect forensic evidence by dumping the memory space of the corresponding process (with gcore, for example). One could also recover the deleted sample from /proc with cp /proc/{pid}/exe {output_file},
  • terminate the process with the -KILL signal.
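The clean-up steps above, gathered into a small POSIX shell triage helper. This is an added example, not ESET's tooling or code from the article; it assumes the two indicators the article gives (a process named .javaxxx and the local HTTP service on 127.0.0.1:61314), uses ss -tlnp in place of netstat/lsof, and reads PROCROOT instead of /proc so the functions can be checked against a constructed process tree.

```shell
#!/bin/sh
# Triage helper for the Linux/Rakos indicators described above.
# Assumed indicators (from the article): a process named .javaxxx and the
# bot's local HTTP service on 127.0.0.1:61314. PROCROOT is overridable so the
# functions can be exercised against a constructed /proc-like tree.
RAKOS_PORT=61314
PROCROOT="${PROCROOT:-/proc}"

# Print PIDs whose /proc/<pid>/comm starts with ".java" (assumption: the
# article names the process .javaxxx; the suffix may vary).
rakos_pids_by_name() {
    for comm in "$PROCROOT"/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        case "$(cat "$comm")" in
            .java*) pid=${comm#"$PROCROOT"/}; echo "${pid%/comm}" ;;
        esac
    done
}

# Read `ss -tlnp` output on stdin and print the PID of any process listening
# on the Rakos control port (-n keeps ports numeric, as the article advises
# for netstat/lsof).
rakos_listener_pids() {
    awk -v port="$RAKOS_PORT" '
        $4 ~ (":" port "$") && match($0, /pid=[0-9]+/) {
            print substr($0, RSTART + 4, RLENGTH - 4)
        }'
}

# Copy the executable out of /proc before the process is killed; this still
# works when the sample has already been deleted from disk.
rakos_preserve_sample() {
    cp "$PROCROOT/$1/exe" "$2" && chmod 0400 "$2"
}

# Report suspect processes and save their binaries. Nothing is killed here:
# review the findings, then `kill -KILL <pid>` as the steps above describe.
rakos_triage() {
    outdir=${1:-/tmp/rakos-triage}
    mkdir -p "$outdir"
    { rakos_pids_by_name; ss -tlnp 2>/dev/null | rakos_listener_pids; } | sort -un |
    while read -r pid; do
        echo "suspect pid $pid: $(tr '\0' ' ' < "$PROCROOT/$pid/cmdline" 2>/dev/null)"
        rakos_preserve_sample "$pid" "$outdir/rakos-$pid.bin" &&
            echo "  binary saved to $outdir/rakos-$pid.bin"
    done
}
```

Source the file as root and run `rakos_triage` to list suspects and save their binaries for analysis before killing them.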


Pierluigi Paganini

(Security Affairs – Linux/Rakos, malware)
